Chrysler safety: re-using hyundai framework

rbiasini · rbiasini · commit cf3ecd629dd0 · 2018-12-28T19:20:57.000-08:00
diff --git a/board/safety/safety_chrysler.h b/board/safety/safety_chrysler.h
@@ -1,20 +1,20 @@
-// board enforces
-//   in-state
-//      ACC is active (green)
-//   out-state
-//      brake pressed
-//      stock LKAS ECU is online
-//      ACC is not active (white or disabled)
-
-// chrysler_: namespacing
-int chrysler_speed = 0;
-
-// silence everything if stock ECUs are still online
-int chrysler_lkas_detected = 0;
+const int CHRYSLER_MAX_STEER = 230;
+const int CHRYSLER_MAX_RT_DELTA = 112;          // max delta torque allowed for real time checks
+const int32_t CHRYSLER_RT_INTERVAL = 250000;    // 250ms between real time checks
+const int CHRYSLER_MAX_RATE_UP = 3;
+const int CHRYSLER_MAX_RATE_DOWN = 7;
+const int CHRYSLER_DRIVER_TORQUE_ALLOWANCE = 0; // TODO
+const int CHRYSLER_DRIVER_TORQUE_FACTOR = 0;    // TODO
+
+int chrysler_camera_detected = 0;
+int chrysler_rt_torque_last = 0;
 int chrysler_desired_torque_last = 0;
+int chrysler_cruise_engaged_last = 0;
+uint32_t chrysler_ts_last = 0;
+struct sample_t chrysler_torque_driver;         // last few driver torques measured
 
 static void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push) {
-  int bus_number = (to_push->RDTR >> 4) & 0xFF;
+  int bus = (to_push->RDTR >> 4) & 0xFF;
   uint32_t addr;
   if (to_push->RIR & 4) {
     // Extended
@@ -26,40 +26,35 @@ static void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push) {
     addr = to_push->RIR >> 21;
   }
 
-  if (addr == 0x144 && bus_number == 0) {
-    chrysler_speed = ((to_push->RDLR & 0xFF000000) >> 16) | (to_push->RDHR & 0xFF);
+  // TODO
+  if (addr == 544) {
+    int torque_driver_new = 0;
+    // update array of samples
+    update_sample(&chrysler_torque_driver, torque_driver_new);
   }
 
-  // check if stock LKAS ECU is still online
-  if (addr == 0x292 && bus_number == 0) {
-    chrysler_lkas_detected = 1;
-    controls_allowed = 0;
-  }
-
-  // ["ACC_2"]['ACC_STATUS_2'] == 7 for active (green) Adaptive Cruise Control
-  if (addr == 0x1f4 && bus_number == 0) {
-    if (((to_push->RDLR & 0x380000) >> 19) == 7) {
+  // enter controls on rising edge of ACC, exit controls on ACC off
+  if (addr == 0x1f4) {
+    int cruise_engaged = ((to_push->RDLR & 0x380000) >> 19) == 7;
+    if (cruise_engaged && !chrysler_cruise_engaged_last) {
       controls_allowed = 1;
-    } else {
+    } else if (!cruise_engaged) {
       controls_allowed = 0;
     }
+    chrysler_cruise_engaged_last = cruise_engaged;
   }
 
-  // exit controls on brake press by human
-  if (addr == 0x140) {
-    if (to_push->RDLR & 0x4) {
-      controls_allowed = 0;
-    }
+  // check if stock camera ECU is still online
+  if (bus == 0 && addr == 0x292) {
+    chrysler_camera_detected = 1;
+    controls_allowed = 0;
   }
 }
 
-// if controls_allowed
-//     allow steering up to limit
-// else
-//     block all commands that produce actuation
 static int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
-  // There can be only one! (LKAS)
-  if (chrysler_lkas_detected) {
+
+  // There can be only one! (camera)
+  if (chrysler_camera_detected) {
     return 0;
   }
 
@@ -72,65 +67,77 @@ static int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send) {
     addr = to_send->RIR >> 21;
   }
 
+  // LKA STEER: safety check
+
+
+
   // LKA STEER: Too large of values cause the steering actuator ECU to silently
   // fault and no longer actuate the wheel until the car is rebooted.
   if (addr == 0x292) {
     int rdlr = to_send->RDLR;
-    int straight = 1024;
-    int steer = ((rdlr & 0x7) << 8) + ((rdlr & 0xFF00) >> 8) - straight;
-    int max_steer = 230;
-    int max_rate = 50; // ECU is fine with 100, but 3 is typical.
-    if (steer > max_steer) {
-      return false;
-    }
-    if (steer < -max_steer) {
-      return false;
-    }
-    if (!controls_allowed && steer != 0) {
-      // If controls not allowed, only allow steering to move closer to 0.
-      if (chrysler_desired_torque_last == 0) {
-	return false;
-      }
-      if ((chrysler_desired_torque_last > 0) && (steer >= chrysler_desired_torque_last)) {
-	return false;
-      }
-      if ((chrysler_desired_torque_last < 0) && (steer <= chrysler_desired_torque_last)) {
-	return false;
+    int desired_torque = ((rdlr & 0x7) << 8) + ((rdlr & 0xFF00) >> 8) - 1024;
+    uint32_t ts = TIM2->CNT;
+    int violation = 0;
+
+    if (controls_allowed) {
+
+      // *** global torque limit check ***
+      violation |= max_limit_check(desired_torque, CHRYSLER_MAX_STEER, -CHRYSLER_MAX_STEER);
+
+      // *** torque rate limit check ***
+      violation |= driver_limit_check(desired_torque, chrysler_desired_torque_last, &chrysler_torque_driver,
+        CHRYSLER_MAX_STEER, CHRYSLER_MAX_RATE_UP, CHRYSLER_MAX_RATE_DOWN,
+        CHRYSLER_DRIVER_TORQUE_ALLOWANCE, CHRYSLER_DRIVER_TORQUE_FACTOR);
+
+      // used next time
+      chrysler_desired_torque_last = desired_torque;
+
+      // *** torque real time rate limit check ***
+      violation |= rt_rate_limit_check(desired_torque, chrysler_rt_torque_last, CHRYSLER_MAX_RT_DELTA);
+
+      // every RT_INTERVAL set the new limits
+      uint32_t ts_elapsed = get_ts_elapsed(ts, chrysler_ts_last);
+      if (ts_elapsed > CHRYSLER_RT_INTERVAL) {
+        chrysler_rt_torque_last = desired_torque;
+        chrysler_ts_last = ts;
       }
     }
-    if (steer < (chrysler_desired_torque_last - max_rate)) {
-      return false;
+
+    // no torque if controls is not allowed
+    if (!controls_allowed && (desired_torque != 0)) {
+      violation = 1;
+    }
+
+    // reset to 0 if either controls is not allowed or there's a violation
+    if (violation || !controls_allowed) {
+      chrysler_desired_torque_last = 0;
+      chrysler_rt_torque_last = 0;
+      chrysler_ts_last = ts;
     }
-    if (steer > (chrysler_desired_torque_last + max_rate)) {
+
+    if (violation) {
       return false;
     }
-    
-    chrysler_desired_torque_last = steer;
   }
 
+  // FORCE CANCEL: safety check only relevant when spamming the cancel button.
+  // ensuring that only the cancel button press is sent (VAL 4) when controls are off.
+  // This avoids unintended engagements while still allowing resume spam
+  // TODO: fix bug preventing the button msg to be fwd'd on bus 2
+  //if (((to_send->RIR>>21) == 1265) && !controls_allowed && ((to_send->RDTR >> 4) & 0xFF) == 0) {
+  //  if ((to_send->RDLR & 0x7) != 4) return 0;
+  //}
+
   // 1 allows the message through
   return true;
 }
 
-static int chrysler_tx_lin_hook(int lin_num, uint8_t *data, int len) {
-  // LIN is not used.
-  return false;
-}
-
-static void chrysler_init(int16_t param) {
-  controls_allowed = 0;
-}
-
-static int chrysler_fwd_hook(int bus_num, CAN_FIFOMailBox_TypeDef *to_fwd) {
-  return -1;
-}
 
 const safety_hooks chrysler_hooks = {
-  .init = chrysler_init,
+  .init = nooutput_init,
   .rx = chrysler_rx_hook,
   .tx = chrysler_tx_hook,
-  .tx_lin = chrysler_tx_lin_hook,
+  .tx_lin = nooutput_tx_lin_hook,
   .ignition = default_ign_hook,
-  .fwd = chrysler_fwd_hook,
+  .fwd = nooutput_fwd_hook,
 };
-
diff --git a/tests/safety/libpandasafety_py.py b/tests/safety/libpandasafety_py.py
@@ -42,6 +42,7 @@
 void set_cadillac_torque_driver(int min, int max);
 void set_gm_torque_driver(int min, int max);
 void set_hyundai_torque_driver(int min, int max);
+void set_chrysler_torque_driver(int min, int max);
 void set_toyota_rt_torque_last(int t);
 void set_toyota_desired_torque_last(int t);
 int get_toyota_torque_meas_min(void);
@@ -84,8 +85,9 @@
 void init_tests_chrysler(void);
 void chrysler_rx_hook(CAN_FIFOMailBox_TypeDef *to_push);
 int chrysler_tx_hook(CAN_FIFOMailBox_TypeDef *to_send);
-void chrysler_init(int16_t param);
 void set_chrysler_desired_torque_last(int t);
+void set_chrysler_rt_torque_last(int t);
+
 
 """)
 
diff --git a/tests/safety/test.c b/tests/safety/test.c
@@ -26,6 +26,7 @@ struct sample_t toyota_torque_meas;
 struct sample_t cadillac_torque_driver;
 struct sample_t gm_torque_driver;
 struct sample_t hyundai_torque_driver;
+struct sample_t chrysler_torque_driver;
 
 TIM_TypeDef timer;
 TIM_TypeDef *TIM2 = &timer;
@@ -81,6 +82,11 @@ void set_hyundai_torque_driver(int min, int max){
   hyundai_torque_driver.max = max;
 }
 
+void set_chrysler_torque_driver(int min, int max){
+  chrysler_torque_driver.min = min;
+  chrysler_torque_driver.max = max;
+}
+
 int get_toyota_torque_meas_min(void){
   return toyota_torque_meas.min;
 }
@@ -105,6 +111,10 @@ void set_hyundai_rt_torque_last(int t){
   hyundai_rt_torque_last = t;
 }
 
+void set_chrysler_rt_torque_last(int t){
+  chrysler_rt_torque_last = t;
+}
+
 void set_toyota_desired_torque_last(int t){
   toyota_desired_torque_last = t;
 }
@@ -181,18 +191,22 @@ void init_tests_hyundai(void){
   set_timer(0);
 }
 
+void init_tests_chrysler(void){
+  chrysler_torque_driver.min = 0;
+  chrysler_torque_driver.max = 0;
+  chrysler_desired_torque_last = 0;
+  chrysler_rt_torque_last = 0;
+  chrysler_ts_last = 0;
+  set_timer(0);
+}
+
 void init_tests_honda(void){
   ego_speed = 0;
   gas_interceptor_detected = 0;
   brake_prev = 0;
   gas_prev = 0;
 }
 
-void init_tests_chrysler(void){
-  chrysler_desired_torque_last = 0;
-  set_timer(0);
-}
-
 void set_gmlan_digital_output(int to_set){
 }
 
diff --git a/tests/safety/test_chrysler.py b/tests/safety/test_chrysler.py
